I've received numerous complaints from my customers about having their password sent through email. Most people use the same password for all sorts of sites. And email is increasingly insecure. Google openly admits to scraping all their gmail's for marketing purposes, for example. And from personal experience, my yahoo account was hacked by someone last year; they had full access to all my emails. So sending passwords via email is increasingly being considered a bad practice.

So, a reset password capability is on my short todo list. Any chance you could add something like this soon?

This is the core way that DNN 7 has password reset now vs retrieval. Although it's an option for older dnn sites and can still be enabled, it's discouraged and not the new, more secure way going forward. Many ecommerce, PCI and PABP compliant sites, etc cannot have the email go out with password in it.

Mitch Sellers, before the system was worked out in DNN 7, wrote a module that could be used to do the same thing in older DNN 5 and 6 sites. Actually, it could be used here with the Advanced Login module as a replacement page for the forgot password form/action if needed.

Before I go into that setup, however, I wanted to check on timeline for this. I can't imagine that you can go too much longer without incorporating an allowance for this important new security feature that is the default setting in DNN 7 now. Is this something you will add in the next few months? Or have you already tackled it?

In the change notes for the module, i think I saw that you'd already worked on it or had been working on it around version 62.06.15 (seen below) But I don't see notes in the instructions or tokens or templates.

Advanced Login 62.06.15 2013-07-12

Changes:

- Improved the module to allow a password reset to be applied when web.config does not allow the retrieval of passwords.

Dear [User:DisplayName],
You have requested a Password Reset Token from [Portal:PortalName].
Please login using the following information:
Website Address: [Portal:URL]
Username: [User:Username]
Link to reset password: http://[Portal:URL]/default.aspx?ctl=PasswordReset&resetToken=[Membership:PasswordResetToken]
Sincerely,
[Portal:PortalName]
*Note: If you did not request a Password Reset Token, please disregard this Message.

If Advanced Login allows access to tokens such as [Membership:PasswordResetToken], then we could do what is needed.

That is great to hear! I was just about to give up and switch to the native DNN Password Reset facility. But I'd really like to continue using Advanced Login for custom redirection (as well as login with captcha and password resets).

Any timeframe for an update? I would be glad to be a beta tester if needed.

Thanks for posting the updated module. I have uploaded and installed Advanced Login 62.06.36 on my client's website.

When I go to edit the "Recovery Email Template", the list of tokens doesn't display any equivalent token for the DNN [Membership:PasswordResetToken]. I would expect something like [PasswordResetToken] or [PasswordResetURL] in the list. It is also not found in the PDF manual file.

So this doesn't give any clues about how implement a password reset URL.

Finally, when I actually try to DO a password reset as a user, the "Password Recovery Template" is used as expected for the web page, but the email that is sent to the user is based on the DNN GlobalResources\GlobalResources\EMAIL_PASSWORD_REMINDER_BODY.Text string, NOT the "Recovery Email Template" specified in Advanced Login. So this gives me the control I need, but I don't think it is what Advanced Login users would expect.

Bottom line: This is better and workable Password Reset feature now and I am glad for that. But it could be better documented and work as expected with the
"Recovery Email Template" template. Or perhaps I'm just misunderstanding something that could be cleared up.